ABSTRACT


The major objective of this study is to identify a simplified methodology to reconstruct a secret that is distributed using Shamir’s Secret Sharing Scheme, and to use the derived results to investigate implications on the Advanced Encryption Standard. This thesis begins by using existing mathematical conjectures to simplify a monic polynomial generated by the dealer in a threshold secret sharing scheme. The second part of the thesis then identifies the variable bounds that an individual (eavesdropper or outsider) can use to reconstruct the secret by gathering just two shares out of multiple public shares. In conclusion, the findings from the first two parts of the simplified secret sharing scheme can be effectively used to identify weaknesses of side-channel attacks, and subsequently applied to improve on the mechanics of the Advanced Encryption Standard. Future work could include generalizing the methodology to include non-monic polynomials, or exploring the use of prime coefficients in the dealer-generated polynomial.
Executive Summary





There are many secret sharing schemes and variations available to hide and reconstruct a given secret. Shamir’s Secret Sharing Scheme, making use of linear Lagrange interpolation on the dealer-generated polynomial, is used to reconstruct the secret from the stipulated threshold number of participants’ shares. Such a scheme has been widely analysed by mathematicians and computer scientists for potential weaknesses in the reconstruction of the secret by an external eavesdropper.


The objective of this thesis report is thus to present a variation of Shamir’s threshold secret sharing scheme by manipulating the dealer-generated polynomial into a simplified version such that any eavesdropper can reconstruct the secret by gaining two public shares, instead of the stipulated threshold number. The envisaged improvements would then be evaluated for any impact on side-channel effects on the Advanced Encryption Standard.


Existing and well-known mathematical conjectures (including Pillai’s conjecture, the Fermat–Catalan conjecture, and Hall’s conjecture) were built upon to seek a potential weakness in the security of the current secret sharing scheme. Essentially, the analysis aimed to reduce the order of difficulty in reconstructing the secret. Assuming that the dealer-generated polynomial is monic, it is then deconstructed by applying a composite linear function in which two additional variables are introduced.


In general, assuming that the original form of the dealer-generated polynomial is f(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{k−1} x^{k−1}, by composing it with the linear function g(x) = x + α, the eventual form of the dealer-generated polynomial can be manipulated to be in the form f(x) = (x + α)^k − b_0, where α and b_0 are the two newly introduced variables. The challenge is then reduced to finding the values of both α and b_0.


It was postulated that an eavesdropper would be able to recover the secret by simply obtaining two public shares, namely (x_1, y_1) and (x_2, y_2), from the multitude of available public shares, and that this could be achieved by determining the numerical boundaries for the variable α. Specifically, all encompassing cases, without loss of generality, were considered to ensure that no possibility was neglected. The start state would be to take the difference between the two y-values that were easily obtained. From there on, it is just a matter of manipulating the inequalities to screen out the boundaries of α. Once the boundaries of α were found, it would be trivial to try out the available choices for α, and subsequently b_0, and eventually the secret.


While this methodology does not allow for the absolute reconstruction of the secret, as compared to Lagrange interpolation, it presents an alternate methodology for an eavesdropper to retrieve the secret using significantly fewer shares than the required threshold number. The boundaries reduce the possibilities for the secret value from a near-infinite number to a manageable cardinality that can be searched through exhaustive means. The crux is that as long as two shares are gathered together, the value of α can be derived easily through exhaustive means. Once the value of α is found, it remains trivial to determine b_0 through the equation y_i = (x_i + α)^k − b_0, where (x_i, y_i) are known public shares. Subsequently, the secret is reconstructed as f(0).


Therefore, it is important for the dealer to generate the polynomial with coefficients that do not contain a common factor. From this thesis analysis, it was concluded that the common factor, if accidentally found by an eavesdropper or outsider, can be used to reconstruct the secret efficiently by using only two public shares.


Such findings pave the way for an alternate methodology to recover the secret with less-than-expected available information. It effectively reduces the order of evaluating the monic polynomial, since only linear algebra is involved. This stems from the motivation that linear equations are easier to solve, and in cryptography, linearity presents a weaker form of security for any eavesdropper to break through. Thus, for improved security, the dealer should avoid generating the polynomial using successive binomial integers as its polynomial coefficients, further amplifying the importance of the dealer.


A lot of research has been focused on the perfect secret sharing scheme. While there are no known weaknesses in Shamir’s Secret Sharing Scheme, many researchers have focused on the computational inefficiency if the generated polynomial is of large degree. While many improvised secret sharing schemes have proven more effective than Shamir’s Secret Sharing Scheme, they have only been better under certain parameters; there is always a trade-off with some parameter of the scheme.
CHAPTER 1: Introduction to Secret Sharing





Imagine you have been given the task of finding out the average salary of a room full of N highly successful individuals. The obvious way is to sum up all the individuals’ salaries and average the summation over the total number of people in the room. The problem is that none of the individuals want to disclose their monthly income, because such figures are highly confidential and sensitive.


Here is a viable solution. Have Person A come up with a random number, say [α], and Person A is to add his or her own salary to [α]. This new value is to be passed on to Person B, who will then add his or her own salary to the new value received from Person A. Now, Person B does not know how much Person A’s salary is, since he or she does not know what random number [α] Person A has chosen.


The process repeats itself until the last person in the room, Person N, receives the new value from the second-to-last person, Person N − 1. Person N continues to add on his or her salary, and the final value, say [β], is then passed back to Person A. At this stage, Person A simply needs to deduct [α] from [β] (since only he or she knows what [α] is), and average this sub-total over the number of people in the room, N. In this way, the average salary in the room can be obtained, without any person revealing his or her income.


The value of [α] is critical in this instance, as it provides a gateway to gather information from multiple sources without each source revealing unwanted information that should otherwise remain secret. For example, if any person in the room other than Person A knew the value of [α], then he or she could find out Person A’s income by simply providing the information to Person B and having Person B perform the arithmetic.


Consider another secret sharing example. A bank vault in a highly secured bank requires three keys to open. The key holders are already designated to be two of the bank’s top hierarchy. But strict financial regulations state that no one person should be in total possession of the three keys, for fear of corruption. The logical partition would be to split the keys between these two personnel. With both needing equal authority over the safekeeping of the bank vault, this constitutes a conundrum.


The two-man rule states that all actions and access require the presence of two authorized people at all times. In the bank vault secret sharing example, the logical way to follow this rule is to let Person A hold on to Key 1 and Key 2, and Person B hold on to Key 2 and Key 3. In this way, no single person can open the bank vault (since the vault needs three keys), and both authorized persons (given equal authority by holding two keys each) need to be present in order to open the vault.


The methodology of sharing secrets (or splitting secrets) was independently invented by Adi Shamir [1] and George Blakley [2] in 1979. Being one of the most well-known and dominant secret sharing schemes, Shamir’s Secret Sharing Scheme [1] is the one mainly analysed in this thesis.


1.1 Shamir’s Secret Sharing Scheme 

Shamir’s Secret Sharing Scheme comprises the general distribution of shares to n participants, where each participant holds a unique share. In order to reconstruct the secret, some or all of the parts are needed. Since gathering all the participants to reconstruct the secret may be impractical, the threshold scheme is formulated so that any k parts are sufficient to reconstruct the secret. This is also known as the {k,n} threshold scheme. If k = n, then all participants are required in order to reveal the secret.

In general, the secret S is divided into n pieces of data S_1, S_2, ..., S_n, in such a way that

• k or more S_i shares are enough to piece together the secret.
• k − 1 or fewer S_i shares are not enough to determine the secret (other than by trying all possibilities).


1.1.1 Secret Sharing Example using a Quadratic Polynomial
Assume that the secret value to be kept is 4,321 (i.e., S = 4,321), and the threshold scheme is to be set as {3,7} (i.e., any subset of three shares out of the possible seven shares is sufficient to reconstruct the secret). Randomly, (k − 1) integers are picked to construct the (k − 1)th degree polynomial:

a_1 = 69, a_2 = 213.

The polynomial to produce the required number of secret shares is thus constructed to be

f(x) = 4321 + 69x + 213x^2.    (1.1)


Since there are seven shares, seven points are then constructed from Eqn. (1.1). These seven points are as follows:

Table 1.1: Seven Points Constructed from a Quadratic Polynomial

x | y = f(x)
1 | 4603
2 | 5311
3 | 6445
4 | 8005
5 | 9991
6 | 12403
7 | 15241

In order to reconstruct the secret, any three shares are sufficient. Consider the following three random points P_0 = (x_0, y_0) = (1, 4603); P_1 = (x_1, y_1) = (3, 6445); and P_2 = (x_2, y_2) = (5, 9991). The theory of Lagrange polynomial interpolation is used to reconstruct the secret:

ℓ_0(x) = ((x − x_1)/(x_0 − x_1)) · ((x − x_2)/(x_0 − x_2)) = ((x − 3)/(1 − 3)) · ((x − 5)/(1 − 5)) = (1/8)(x − 3)(x − 5),

ℓ_1(x) = ((x − x_0)/(x_1 − x_0)) · ((x − x_2)/(x_1 − x_2)) = ((x − 1)/(3 − 1)) · ((x − 5)/(3 − 5)) = −(1/4)(x − 1)(x − 5),

ℓ_2(x) = ((x − x_0)/(x_2 − x_0)) · ((x − x_1)/(x_2 − x_1)) = ((x − 1)/(5 − 1)) · ((x − 3)/(5 − 3)) = (1/8)(x − 1)(x − 3).

By Lagrange interpolation, the polynomial is recovered by using

f(x) = [(1/8)(x − 3)(x − 5)] × 4603 + [−(1/4)(x − 1)(x − 5)] × 6445 + [(1/8)(x − 1)(x − 3)] × 9991
     = 4321 + 69x + 213x^2.

The constant coefficient (or a_0) is found to be equal to the initial secret value, and the secret reconstruction is complete.


1.1.2 Secret Sharing Example Using a Cubic Polynomial
If a minimum of four shares were desired for the secret reconstruction, for a {4,7} threshold scheme, then a cubic polynomial will be formed. Consider the following example:

S = 36, a_1 = 6, a_2 = 4, a_3 = 2.

The polynomial is now constructed as

g(x) = 36 + 6x + 4x^2 + 2x^3.

The seven points constructed from g(x) are as follows:

Table 1.2: Seven Points Constructed from a Cubic Polynomial

x | y = g(x)
1 | 48
2 | 80
3 | 144
4 | 252
5 | 416
6 | 648
7 | 960

Since four shares are required, consider the following four random points P_0 = (x_0, y_0) = (1, 48); P_1 = (x_1, y_1) = (3, 144); P_2 = (x_2, y_2) = (5, 416); and P_3 = (x_3, y_3) = (7, 960).


Lagrange interpolation is applied and the following is obtained:

ℓ_0(x) = ((x − 3)(x − 5)(x − 7))/((1 − 3)(1 − 5)(1 − 7)) = −(1/48)(x − 3)(x − 5)(x − 7),
ℓ_1(x) = ((x − 1)(x − 5)(x − 7))/((3 − 1)(3 − 5)(3 − 7)) = (1/16)(x − 1)(x − 5)(x − 7),
ℓ_2(x) = ((x − 1)(x − 3)(x − 7))/((5 − 1)(5 − 3)(5 − 7)) = −(1/16)(x − 1)(x − 3)(x − 7),
ℓ_3(x) = ((x − 1)(x − 3)(x − 5))/((7 − 1)(7 − 3)(7 − 5)) = (1/48)(x − 1)(x − 3)(x − 5).

The polynomial is then recovered by using

g(x) = [−(1/48)(x − 3)(x − 5)(x − 7)] × 48 + [(1/16)(x − 1)(x − 5)(x − 7)] × 144 + [−(1/16)(x − 1)(x − 3)(x − 7)] × 416 + [(1/48)(x − 1)(x − 3)(x − 5)] × 960
     = 36 + 6x + 4x^2 + 2x^3.

The constant coefficient (or a_0) is equal to the initial secret value, and thus the secret reconstruction is complete.


In general, in order to implement the {k,n} threshold scheme, a polynomial of degree k − 1 is required. The degree k − 1 polynomial has k coefficients, which can be recovered from any system of k equations.
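To make the {3,7} and {4,7} examples above concrete, the following Python script is an added example (it is not code from the thesis): it generates shares from a dealer polynomial, reconstructs every coefficient by exact Lagrange interpolation over the rationals, repeats the reconstruction of the constant term over the prime field Z_p, and shows that with only k − 1 shares every candidate secret remains consistent with the shares. The coefficient lists and the modulus p = 104729 (a prime) are constructed sample values, and the function names are mine.

```python
from fractions import Fraction


def make_shares(coeffs, n):
    """Dealer side: evaluate f(x) = coeffs[0] + coeffs[1]*x + ... + coeffs[k-1]*x^(k-1)
    at x = 1..n. coeffs[0] is the secret, the remaining coefficients are the dealer's
    random choices. Returns the n public shares (x_i, y_i)."""
    return [(x, sum(c * x ** i for i, c in enumerate(coeffs))) for x in range(1, n + 1)]


def lagrange_coeffs(points):
    """Reconstruct every coefficient (lowest degree first) of the unique polynomial of
    degree k-1 through k points, exactly over the rationals: expand each Lagrange basis
    polynomial l_i(x) = prod_{j != i} (x - x_j)/(x_i - x_j) and accumulate y_i * l_i(x)."""
    k = len(points)
    total = [Fraction(0)] * k
    for i, (xi, yi) in enumerate(points):
        basis = [Fraction(1)]          # coefficients of l_i(x), built one factor at a time
        denom = Fraction(1)
        for j, (xj, _) in enumerate(points):
            if j == i:
                continue
            grown = [Fraction(0)] * (len(basis) + 1)   # basis(x) * (x - x_j)
            for d, b in enumerate(basis):
                grown[d] -= xj * b
                grown[d + 1] += b
            basis = grown
            denom *= xi - xj
        for d in range(k):
            total[d] += yi * basis[d] / denom
    return total


def recover_secret(points):
    """The secret is the constant term f(0) of the interpolated polynomial."""
    return lagrange_coeffs(points)[0]


def recover_secret_mod_p(points, p):
    """Same reconstruction over the prime field Z_p, computing only the constant term:
    f(0) = sum_i y_i * prod_{j != i} (-x_j) / (x_i - x_j)   (mod p)."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret


def polynomial_consistent_with(points, guessed_secret):
    """With only k-1 shares, every candidate secret is consistent: interpolating the k-1
    shares together with the point (0, guess) always gives a degree-(k-1) polynomial that
    passes through all of them, so the shares alone say nothing about the secret."""
    return lagrange_coeffs([(0, guessed_secret)] + list(points))


if __name__ == "__main__":
    # Constructed sample values: the {3,7} example of Section 1.1.1.
    shares = make_shares([4321, 69, 213], 7)
    print("shares:", shares)
    print("secret from shares 1, 3, 5:", recover_secret([shares[0], shares[2], shares[4]]))
    print("mod-p reconstruction:", recover_secret_mod_p([shares[0], shares[2], shares[4]], 104729))
    print("cubic example:", lagrange_coeffs([(1, 48), (3, 144), (5, 416), (7, 960)]))
    for guess in (0, 4321, 99999):
        print("two shares, guessed secret", guess, "->", polynomial_consistent_with(shares[:2], guess))
```

The rational version reproduces the hand calculation of Sections 1.1.1 and 1.1.2 exactly; the modular version is the form used in practice, since all shares then stay bounded by p and no rational arithmetic is needed.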


1.2 Formal Definitions for Abstract Algebra 


In order to aid in the analysis of Shamir’s Secret Sharing Scheme (SSSS), and to simplify the polynomials used in the scheme, it is necessary to define some basic theorems on linear and abstract algebra. Much of the information can be obtained from related mathematical texts, such as John B. Fraleigh’s A First Course in Abstract Algebra [3]. The related definitions from the text are extracted and presented here.


1.2.1 Abstract Algebra — Groups, Rings, Fields, Finite Fields
Definition 1.2.1. [3, pp. 37–39] A group <G, *> is a set G, closed under a binary operation *, such that the following axioms are satisfied:

G_1: For all a, b, c ∈ G, the associativity of *, (a * b) * c = a * (b * c), holds.

G_2: There is an element e in G such that for all x ∈ G, e * x = x * e = x. This is also known as the identity element e for *.

G_3: Corresponding to each a ∈ G, there is an element a' ∈ G such that a * a' = a' * a = e. This means that the inverse of a exists. A group is abelian if its binary operation is commutative.


Definition 1.2.2. [3, p. 167] The most general algebraic structure, a ring <R, +, ·>, is a set R together with two binary operations + and ·, namely addition and multiplication, defined on R such that the following axioms are satisfied:

R_1: <R, +> is an abelian group.

R_2: <R, ·> is associative, i.e., a monoid.

R_3: For all a, b, c ∈ R, the left distributive law a · (b + c) = (a · b) + (a · c), and the right distributive law (a + b) · c = (a · c) + (b · c), hold.


Definition 1.2.3. [3, pp. 172–174] By extension, a field <F, +, ·> is a set F with two binary operations, namely addition and multiplication, defined on F, satisfying the following axioms:

F_1: <F, +> is an abelian group.

F_2: <F*, ·> is an abelian group.

F_3: For all a, b, c ∈ F, the distributive law a · (b + c) = (a · b) + (a · c) holds.


Definition 1.2.4. [3, p. 300] A finite field is thus a field with a finite number of elements.

It is known, and easy to show, that for every prime p and positive integer n, there is exactly one finite field (up to isomorphism) of order p^n. [Usually], this field [denoted] GF(p^n) is referred to as the Galois field of order p^n.


In general, since the identity element is required to be different for addition and multiplication, there must be at least two elements in every field. Some common examples include Q, R, C, that is, the rational numbers, the real numbers, and the complex numbers, respectively. It must be noted that Z, the integers, forms only a ring. Thus, in this thesis, both the integer ring Z and the prime field Z_p, where p is a prime number, are often referenced; the latter is mainly due to the unique properties of prime numbers.


1.3 Research Objective

The purpose of this thesis is to analyse Shamir’s Secret Sharing Scheme, to identify weaknesses and potential improvements, and to build upon them to discuss the side-channel effects on the Advanced Encryption Standard (AES).

The following questions are asked:

• Can pre-existing conjectures and theorems be used to improve and/or weaken the security, and simplify the computational complexity, of the present secret sharing scheme?
• Can the improvements to the current secret sharing scheme prove to be beneficial in strengthening/weakening AES encryption, such as through side-channel analysis?
CHAPTER 2: Analysis of Shamir’s Secret Sharing Scheme





2.1 The Importance of the Dealer
For a {k,n} threshold scheme, the dealer computes the degree (k − 1) polynomial and embeds the secret within the polynomial. The dealer also has to provide the public values by computing the required outputs using certain inputs. The generated polynomial is of the form

f(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{k−1} x^{k−1},    (2.1)

where a_0 is the secret and a_i, 1 ≤ i ≤ k − 1, are chosen randomly.


2.2 Order of Difficulty in Reconstructing the Secret

In this thesis, it is assumed that the Lagrange interpolation to reconstruct the secret is done over an integer ring. Performing arithmetic over the prime field Z_p will, however, improve on the computational efficiency, as is discussed later. For example, if the Lagrange interpolation is done over the residue field Z_p (that is, modulo p), then the order of computational complexity is O(p^k).


2.3 Simplifying Secret Sharing Polynomials — Potential Weakness?

The initial degree (k − 1) polynomial f(x) is created by the dealer. There is no way to retrieve the secret unless at least k participants come together to reconstruct the secret using Lagrange interpolation. A viable idea to improve the simplicity of the polynomial is to introduce a composition with another function that may be easier to dissect with existing mathematical tools.

Consider the following manipulation of the polynomial functions:

Let f(x) = h(x) ∘ g(x), where
f(x) is the degree (k − 1) polynomial generated by the dealer;
h(x) is the desired final simplified polynomial of the form (x − α)^k − b_0; and
g(x) is a linear function to be applied to h(x) to form the original polynomial.

Consider first the composite function g(x) = x + α, and the following is obtained. First, it is desired to simplify f(x) to be in the form f(x) = x^k − b_0, for some coefficients in the dealer-generated polynomial. Hence, f(x) = h(g(x)) = h(x + α) = x^k − b_0. Therefore, h(x) = f(x − α), and so,

h(x) = f(x − α) = (x − α)^k − b_0
     = [x^k + \binom{k}{1}(−α) x^{k−1} + \binom{k}{2}(−α)^2 x^{k−2} + \cdots + (−α)^k] − b_0
     = x^k + \sum_{i=1}^{k} c_i x^{k−i} − b_0,    (2.2)

where c_i = \binom{k}{i}(−α)^i.

It is clear that the values of c_i correspond to the coefficients of the original dealer-generated polynomial.

If the value x = 0 is substituted into the final form of Eqn. (2.2), the output will correspond to the hidden secret, since it is known that the secret is the value of a_0 in the original polynomial generated by the dealer in Eqn. (2.1).

Therefore, from Eqns. (2.1) and (2.2), the secret can be derived as the coefficient without any x terms:

Secret = a_0 = (−α)^k − b_0.    (2.3)

If the values of α and b_0 are known, then the secret is unravelled. The challenge, then, is to find the values of α and b_0, if they are unknown, in order to reconstruct the secret.
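As an added example (not code from the thesis), the following Python functions exercise the composition of this section from the dealer’s side: one expands (x + α)^k − b_0 into its coefficients (the coefficient of x^{k−i} is \binom{k}{i}α^i; passing −α gives the (x − α)^k − b_0 form of Eqn. (2.2)), and the other, given a polynomial only by its coefficients, decides whether it can be written in that shifted-power form at all, so that a dealer can reject such a polynomial before issuing shares. The check generalizes slightly beyond the text by allowing a non-monic leading coefficient. The coefficient lists are constructed sample values (plus the thesis’s own examples), and the function names are mine.

```python
from functools import reduce
from math import comb, gcd


def expand_shifted_power(alpha, b0, k):
    """Coefficients, lowest degree first, of f(x) = (x + alpha)^k - b0. The coefficient of
    x^(k-i) is C(k,i) * alpha^i, and the constant term (the secret f(0)) is alpha^k - b0.
    Pass -alpha to obtain the (x - alpha)^k - b0 form of Eqn. (2.2)."""
    coeffs = [comb(k, d) * alpha ** (k - d) for d in range(k + 1)]
    coeffs[0] -= b0
    return coeffs


def shifted_power_form(coeffs):
    """Dealer-side check (added here): can a_0 + a_1 x + ... + a_k x^k be written as
    lead * (x + alpha)^k - b0 for integers alpha, b0?  Returns (alpha, b0) if so, else None.
    The x^(k-1) coefficient equals lead * k * alpha, which pins alpha down; every other
    coefficient must then match the binomial pattern lead * C(k,d) * alpha^(k-d)."""
    k = len(coeffs) - 1
    if k < 2 or coeffs[k] == 0:
        return None
    lead = coeffs[k]
    if coeffs[k - 1] % (lead * k) != 0:      # alpha would not be an integer
        return None
    alpha = coeffs[k - 1] // (lead * k)
    for d in range(1, k):
        if coeffs[d] != lead * comb(k, d) * alpha ** (k - d):
            return None
    b0 = lead * alpha ** k - coeffs[0]
    return alpha, b0


def coefficient_gcd(coeffs):
    """Greatest common factor of the non-constant coefficients a_1..a_k; the executive
    summary asks the dealer to avoid coefficients that share a common factor."""
    return reduce(gcd, (abs(c) for c in coeffs[1:]), 0)


def dealer_accepts(coeffs):
    """Combined acceptance test a dealer can run before distributing shares: reject the
    shifted-power form, and reject non-constant coefficients with a common factor."""
    return shifted_power_form(coeffs) is None and coefficient_gcd(coeffs) == 1


if __name__ == "__main__":
    weak = expand_shifted_power(3, 10, 3)     # (x+3)^3 - 10 = x^3 + 9x^2 + 27x + 17 (constructed)
    print(weak, shifted_power_form(weak), dealer_accepts(weak))
    print(shifted_power_form([4321, 69, 213]), coefficient_gcd([4321, 69, 213]))
```

Note that the quadratic example of Section 1.1.1, with a_1 = 69 and a_2 = 213, passes the shifted-power check but has coefficient gcd 3, so the combined test rejects it under the executive summary’s common-factor rule.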


2.4 Finding the Values of α and b_0

If the Lagrange interpolation is performed modulo p, then finding the value of α is of order O(p^k), and likewise for the finding of b_0. Therefore, if both α and b_0 are unknown, the whole problem of finding both values escalates to order O(p^k × p^k) = O(p^{2k}).

The famous Pillai’s conjecture, and various other conditions related to the conjecture, are used to simplify the range of values of both α and b_0.
CHA PTER 3: Applying Pillai’s Conjecture to Secret Sharing Schemes





3.1 Pillai’s Conjecture (General)
Herschfeld (1936) [4] showed that the equation 3^x − 2^y = c, for |c| sufficiently large, has at most one solution in positive integers x, y. In the same year, Pillai extended this result by considering the exponential Diophantine equation

a^x − b^y = c,

and proved that there exists a finite number of positive integer solutions (a, b, x, y ∈ Z), with x ≥ 2 and y ≥ 2, to this Diophantine equation [5], provided |c| > c_0(a,b), for some constant c_0(a,b), which unfortunately is not effectively computable. Pillai conjectured that c_0(3,2) = 13, this being proved in 1982 by Stroeker and Tijdeman [6], using methods based on Baker’s linear forms in logarithms. The general Pillai’s conjecture (see Conjecture 3.1.1, following), which gives an estimate for c_0, will be mostly used to find a weakness in Shamir’s Secret Sharing Scheme. The quantitative refinement of the already mentioned (general) Pillai’s conjecture is also discussed by Waldschmidt [5].

Conjecture 3.1.1. For any ε > 0, there exists a constant κ(ε) > 0 such that, for any positive integers a, b, x ≥ 2, y ≥ 2, with a^x ≠ b^y,

|a^x − b^y| > κ(ε) × max(a^x, b^y)^{(1 − 1/x − 1/y − ε)}.    (3.1)


3.2 Fermat–Catalan Conjecture
This conjecture was proposed based upon both Fermat’s Last Theorem and Catalan’s conjecture. In 1995, Richard Taylor and Andrew Wiles [7] co-published an article proving Fermat’s Last Theorem.

Theorem 3.2.1. Fermat’s Last Theorem states that for any integer n that is greater than two, there do not exist any three (strictly) positive integers a, b, and c that satisfy the equation

a^n + b^n = c^n.

Referencing Conjecture 3.1.1, in 2002, Mihailescu [8] proved Catalan’s conjecture.

Conjecture 3.2.1 (Mihailescu’s Theorem). The only solutions to the equation a^x − b^y = 1 are 3^2 and 2^3.

The Fermat–Catalan conjecture combines the ideas of Fermat’s Last Theorem and Catalan’s conjecture. In 1995, Darmon and Granville [9] proved the conjecture.

Conjecture 3.2.2. The equation a^m + b^n = c^k has a finite number of solutions that satisfy the inequality 1/m + 1/n + 1/k < 1.

Definition 3.2.1. Two integers a and b are coprime if the only positive integer that evenly divides both a and b is 1, that is, if their greatest common divisor gcd(a,b) = 1.


3.3 Motivation
By Theorem 3.2.1 and Conjecture 3.2.2, it is inferred by Waldschmidt [5] that, ∀ε > 0, ∃κ(ε) > 0 such that

a^x − b^y = c ⟹ |a^x − b^y| > κ(ε) × max(a^x, b^y)^{(1 − 1/x − 1/y − ε)}.    (3.2)

From Catalan’s conjecture, the equation a^x − b^y yields a constant c. This relationship is used in conjunction with the Fermat–Catalan conjecture in Conjecture 3.2.2 to improve the efficiency in recovering the secret in secret sharing schemes. The motivation is thus to streamline the ranges between a^x and b^y such that the maximum value between these two components can be easily found. Coupled with the relationship that the power (1 − 1/x − 1/y − ε) is always < 1, the final value of |a^x − b^y| will be even smaller. This will greatly reduce the computational complexity involved.

Applications of this relationship are further discussed in the next chapter.
CHAPTER 4: Exploring Secret Sharing





4.1 Applying the Fermat–Catalan Conjecture to the Secret Sharing Scheme

Consider the following analysis for the {k + 1, n} threshold scheme.

Let f(x) be defined as the degree k polynomial generated by the dealer:

f(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_k x^k,    (4.1)

where a_0 is the secret to be shared.

Assume that there exists α ∈ Z_p such that h(x) = f(x − α) = x^k − b_0 (consider that the dealer-generated polynomial is monic; the case of non-monic polynomials can still be dealt with, but one needs at least three shares to be known). In this case, the leading coefficient a_k of the highest degree term x^k is 1.

Let f(x_1), f(x_2), ..., f(x_n) be defined as the shares to be handed out, where f(x_i) = y_i. If f(x_1), f(x_2), ..., f(x_n) are known, then the following can be inferred:

(x_i − α)^k − b_0 = y_i,    1 ≤ i ≤ n.

It must be noted that any set of k + 1 shares is sufficient to recover the secret, even though a total of n shares are generated. This is the core essence of Shamir’s Secret Sharing Scheme. However, under the assumption, it is possible to recover the secret with significantly fewer shares, in this case, two.
Taking the difference of any two equations leads to the generalized equation where b_0 is eliminated:

(x_i − α)^k − (x_j − α)^k = y_i − y_j,    (4.2)

where 1 ≤ i < j ≤ n.

Note that the right-hand side is known, since those are the outputs generated and distributed by the dealer to the various participants.

Referencing the extension of Pillai’s Diophantine equation in Eqn. (3.1), and replacing a^x with (x_i − α)^x and b^y with (x_j − α)^y, leads to

|(x_i − α)^x − (x_j − α)^y| > κ(ε) × max(|x_i − α|^x, |x_j − α|^y)^{(1 − 1/x − 1/y − ε)}.

For the purpose of secret sharing, let x = y = k, which results in

|(x_i − α)^k − (x_j − α)^k| > κ(ε) × max(|x_i − α|^k, |x_j − α|^k)^{(1 − 2/k − ε)}.

Using Eqn. (4.2) in the left-hand side of the above inequality, it is finally deduced that ∀ε > 0, ∃κ(ε) > 0, such that

|y_i − y_j| > κ(ε) × max(|x_i − α|^k, |x_j − α|^k)^{(1 − 2/k − ε)}.    (4.3)

4.2 Significance of κ(ε)

In 1970, Marshall Hall, Jr. [10] proposed to remove the value of κ(ε) for the quantitative case when x = 3 and y = 2.

Conjecture 4.2.1. There exists an absolute constant C > 0 such that, for any pair (x, y) of positive integers satisfying x^3 ≠ y^2,

|x^3 − y^2| > C × max(x^3, y^2)^{1/6}.

This is also known as Hall’s conjecture, which will be drawn upon to further simplify the problem (for example, it is further believed that C < 0.96598...).

Presumably, κ(ε) is computable and quite small (e.g., see Bennett’s work on Pillai’s conjecture [11], in particular when |a − b| = 1), so for this purpose it is possible, for example, to assume ε to be strictly less than 1 − 2/k, in order to find finite bounds for |x_i − α| and |x_j − α| (see the analysis in the following sections).


4.3 Forming the Inequalities to Find the Bounds for Computing the Value of α

Focusing on the right-hand side of Eqn. (4.3), and assuming κ(ε) = 1, the following arithmetic is performed on one of the terms:

(|x_j − α|^k)^{(1 − 2/k − ε)} = (|x_j − α|)^{k(1 − 2/k − ε)} = (|x_j − α|)^{k − 2 − kε}.    (4.4)

From Inequality (4.3), it is inferred that

|x_j − α|^{k − 2 − kε} < |y_i − y_j|,
|x_j − α| < |y_i − y_j|^{1/(k − 2 − kε)}.    (4.5)

With this inequality, the complexity of the problem is now significantly reduced. It is now reduced to simply finding the values of α from Eqn. (4.5), whereby the values of x_j, y_i, y_j, k, and ε are known, and are small enough to compute.

The order of computational difficulty is now reduced significantly from the initial order of O(p^k), or O(p^{2k}) if there are two unknowns.

Applying (an extension of) Hall’s conjecture, whereby the value of ε is assumed to be 0, Eqn. (4.5) now reduces further to

|x_j − α| < |y_i − y_j|^{1/(k − 2)}.    (4.6)


4.4 Dissecting the Inequalities

It was assumed that ∃α such that h(x) = f(x − α) = x^k − b_0, for certain cases of the polynomial form that was generated by the dealer. Since f(x − α) = x^k − b_0, this can be rewritten as f(x) = (x + α)^k − b_0.

In a {k + 1, n} threshold scheme, n shares are generated, namely (x_1, y_1), (x_2, y_2), ..., (x_n, y_n), where y_i = f(x_i), for 1 ≤ i ≤ n.

Consider the case where it is sufficient to pool together two known pairs (shares). Therefore, the following is derived:

y_1 = (x_1 + α)^k − b_0,
y_2 = (x_2 + α)^k − b_0,
y_1 − y_2 = (x_1 + α)^k − (x_2 + α)^k,

or,

y_2 − y_1 = (x_2 + α)^k − (x_1 + α)^k.

Solving for the value of α is not trivial for large values of k, especially if k is prime. A prime k, however, will allow performing finite field arithmetic to reduce the bounds of α, which is discussed later in greater detail.











For simplicity’s sake, the labels A := x_1 + α and B := x_2 + α are applied, hence A^k = (x_1 + α)^k and B^k = (x_2 + α)^k. In addition, it is clear that (A − B) = (x_1 − x_2).

The following identity is used,

(A^k − B^k) = (A − B) × (A^{k−1} + A^{k−2}B + \cdots + AB^{k−2} + B^{k−1}),

to infer

(y_1 − y_2) = (x_1 − x_2) × (A^{k−1} + A^{k−2}B + \cdots + AB^{k−2} + B^{k−1}),

(y_1 − y_2)/(x_1 − x_2) = (A^{k−1} + A^{k−2}B + \cdots + AB^{k−2} + B^{k−1}).

It is obvious that the following inequality holds:

(|A|^{k−1} + |A|^{k−2}|B| + \cdots + |A||B|^{k−2} + |B|^{k−1}) > max(|A|^{k−1}, |B|^{k−1}).    (4.7)

Eqn. (4.7) is now used to consider all possible cases of polarity for the values of A, B, and parity for the values of k. Note that since k is a known positive value, and ≥ 2, it is necessary to only consider cases where k is either even or odd. For the case where k = 2, it is easy to find α, since y_1 − y_2 is just the difference of squares.


4.4.1 Case 1 — [A > 0, B > 0]
Without loss of generality (WLOG), assume that A > B (equality cases are impossible). Therefore, the following is obtained:

(y_1 − y_2)/(x_1 − x_2) = (A^{k−1} + A^{k−2}B + \cdots + AB^{k−2} + B^{k−1}),
(y_1 − y_2)/(x_1 − x_2) > max(|A|^{k−1}, |B|^{k−1}) ≥ |A|^{k−1},
(y_1 − y_2)/(x_1 − x_2) > (|x_1 + α|)^{k−1},
((y_1 − y_2)/(x_1 − x_2))^{1/(k−1)} > |x_1 + α|,
−((y_1 − y_2)/(x_1 − x_2))^{1/(k−1)} − x_1 < α < ((y_1 − y_2)/(x_1 − x_2))^{1/(k−1)} − x_1.

With the known values of x_1, x_2, y_1, y_2, and k, both lower and upper bounds of α are found.
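To see how far the inequality of Section 4.3 and the Case 1 bound above actually narrow the search for α, the following Python script is an added example (not code from the thesis): it generates two shares from a constructed weak polynomial f(x) = (x + α)^k − b_0, computes the Case 1 interval for α (the quotient (y_1 − y_2)/(x_1 − x_2) must be a positive integer, otherwise the shares cannot come from a polynomial of this form), computes the wider radius |y_i − y_j|^{1/(k−2)} of Eqn. (4.6) with ε = 0, and then counts how many integers in the interval are consistent with both shares. All arithmetic is exact (floor k-th roots on integers); the parameters k = 5, α = 7, b_0 = 100 are constructed, and the function names are mine.

```python
def iroot(n, r):
    """Floor of the r-th root of a non-negative integer n, by binary search (exact)."""
    if n < 0 or r < 1:
        raise ValueError("n must be >= 0 and r >= 1")
    lo, hi = 0, 1
    while hi ** r <= n:
        hi *= 2                      # after the loop, hi^r > n >= lo^r
    while lo < hi - 1:
        mid = (lo + hi) // 2
        if mid ** r <= n:
            lo = mid
        else:
            hi = mid
    return lo


def weak_shares(alpha, b0, k, xs):
    """Shares of the weak form f(x) = (x + alpha)^k - b0 at the given x-values."""
    return [(x, (x + alpha) ** k - b0) for x in xs]


def case1_alpha_interval(share1, share2, k):
    """Case 1 of Section 4.4.1 (A > B > 0): with q = (y_1 - y_2)/(x_1 - x_2), every
    admissible alpha satisfies |x_1 + alpha| < q^(1/(k-1)). Returns the closed integer
    interval [-r - x_1, r - x_1] with r = floor(q^(1/(k-1))), or None when q is not a
    positive integer (the two shares then cannot come from a polynomial of this form)."""
    (x1, y1), (x2, y2) = share1, share2
    if x1 == x2 or (y1 - y2) % (x1 - x2) != 0:
        return None
    q = (y1 - y2) // (x1 - x2)
    if q <= 0:
        return None
    r = iroot(q, k - 1)
    return (-r - x1, r - x1)


def hall_radius(share1, share2, k):
    """Radius from Eqn. (4.6) with epsilon = 0: |x_j - alpha| < |y_i - y_j|^(1/(k-2))."""
    return iroot(abs(share1[1] - share2[1]), k - 2)


def consistent_candidates(share1, share2, k):
    """Walk the Case 1 interval; for each candidate alpha, b_0 is fixed by the first share
    and the candidate survives only if the second share agrees. Returns the list of
    (alpha, b0, secret) triples, where secret = f(0) = alpha^k - b0."""
    interval = case1_alpha_interval(share1, share2, k)
    if interval is None:
        return []
    (x1, y1), (x2, y2) = share1, share2
    survivors = []
    for alpha in range(interval[0], interval[1] + 1):
        b0 = (x1 + alpha) ** k - y1
        if (x2 + alpha) ** k - b0 == y2:
            survivors.append((alpha, b0, alpha ** k - b0))
    return survivors


if __name__ == "__main__":
    # Constructed parameters: k = 5, alpha = 7, b0 = 100, so the secret f(0) = 7^5 - 100 = 16707.
    s2, s1 = weak_shares(7, 100, 5, [1, 2])       # s1 = (2, 58949), s2 = (1, 32668); A = 9 > B = 8 > 0
    print("Case 1 interval for alpha:", case1_alpha_interval(s1, s2, 5))
    print("Eqn. (4.6) radius around -x_j:", hall_radius(s1, s2, 5))
    print("candidates consistent with both shares:", consistent_candidates(s1, s2, 5))
```

On these constructed inputs the Case 1 interval [−14, 10] holds 25 integers, the ε = 0 radius of Eqn. (4.6) is 29, and only two candidates survive the second share: α = 7 (the true value) and α = −10, because for odd k and x_1 − x_2 = 1 the difference A^k − (A − 1)^k takes the same value at A and at 1 − A. That is the manageable cardinality the executive summary refers to, and it is the reason the dealer is warned against coefficients that follow the binomial pattern.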











For the case where both A and B are positive, the parity of k does not matter, since applying the same exponential power to both A and B does not change the comparison between them. To be more encompassing, it is therefore necessary to consider different parity cases of the value of k, along with the polarities of both A and B. Instead of always assuming that A > B for all cases (since the value of α is unknown at this point), the polarity of the denominator (x_1 − x_2) is also included in each individual case analysis.


4.4.2 Case 2 — [A < 0, B > 0] [k odd]

With these constraints, and since k is odd,

y_2 − y_1 = B^k − A^k
          = B^k + |A|^k
          > max(B^k, |A|^k).

Again, WLOG, consider the case where B^k > |A|^k:

y_2 − y_1 > max(B^k, |A|^k) ≥ B^k,
(y_2 − y_1)^{1/k} > |x_2 + α|,
−(y_2 − y_1)^{1/k} − x_2 < α < (y_2 − y_1)^{1/k} − x_2.

With this, the lower and upper bounds of α can be found easily. It is impractical to reduce B^k + |A|^k according to the identity that was mentioned earlier, as it would be indeterminable whether B + |A| would be a positive value, and hence the maximum inequality would not apply.





4.4.3 Case 3 — [A > 0, B < 0] [k odd]

In this case, since k is odd, the following is obtained:

y_2 − y_1 = B^k − A^k,
y_1 − y_2 = A^k − B^k = A^k + |B|^k > |A|^k,
(y_1 − y_2)^{1/k} > |x_1 + α|,
−(y_1 − y_2)^{1/k} − x_1 < α < (y_1 − y_2)^{1/k} − x_1.

This essentially gives similar results as Case 2, except for the interchange between y_1 and y_2, and x_1 being used as the variable difference in this case.


4.4.4 Case 4 — [A, B < 0] [k odd]

Consider the last case of odd k, with both parameters less than 0. The following is obtained:

y_2 − y_1 = B^k − A^k
          = −|B|^k + |A|^k
          = |A|^k − |B|^k.

WLOG, assume that |A| > |B|. Therefore,

0 < y_2 − y_1 = |A|^k − |B|^k
              = (|A| − |B|) × (|A|^{k−1} + |A|^{k−2}|B| + \cdots + |B|^{k−1})
              = (x_1 − x_2) × (|A|^{k−1} + |A|^{k−2}|B| + \cdots + |B|^{k−1})
              > |A|^{k−1}.

Thus,

y_2 − y_1 > |A|^{k−1} = |x_1 + α|^{k−1},
−(y_2 − y_1)^{1/(k−1)} − x_1 < α < (y_2 − y_1)^{1/(k−1)} − x_1.

Case 4 now concludes the analysis for odd values of k. The analysis focus is now shifted to even values of k.
4.4.5 Case 5 — [A < 0, B > 0] [k even]

Since k is even, the following is obtained:

y_2 − y_1 = B^k − A^k
          = B^k − |A|^k.

WLOG, now assume that B > |A|. The following is obtained:

0 < y_2 − y_1 = B^k − |A|^k
              = (B − |A|) × (B^{k−1} + B^{k−2}|A| + \cdots + |A|^{k−1})
              = (x_2 − x_1) × (B^{k−1} + B^{k−2}|A| + \cdots + |A|^{k−1})
              > |A|^{k−1},

y_2 − y_1 > |x_1 + α|^{k−1},
(y_2 − y_1)^{1/(k−1)} > |x_1 + α|,
−(y_2 − y_1)^{1/(k−1)} − x_1 < α < (y_2 − y_1)^{1/(k−1)} − x_1.

4.4.6 Case 6 — [A > 0, B < 0] [k even]

With these constraints, and k even,

$$y_2 - y_1 = B^k - A^k = |B|^k - A^k.$$

Now, WLOG, assume that $|B| \ge A$. Therefore,

$$0 \le y_2 - y_1 = |B|^k - A^k$$
$$= (|B| - A) \times (|B|^{k-1} + |B|^{k-2}A + \cdots + A^{k-1})$$
$$= (x_2 - x_1) \times (|B|^{k-1} + |B|^{k-2}A + \cdots + A^{k-1})$$
$$\ge |B|^{k-1},$$
$$y_2 - y_1 \ge |x_2 + a|^{k-1},$$
$$(y_2 - y_1)^{\frac{1}{k-1}} \ge |x_2 + a|,$$
$$-(y_2 - y_1)^{\frac{1}{k-1}} - x_2 \le a \le (y_2 - y_1)^{\frac{1}{k-1}} - x_2.$$
4.4.7 Case 7 — [A, B < 0] [k even]

The last case for even k, with these constraints, is as follows:

$$y_2 - y_1 = B^k - A^k = |B|^k - |A|^k.$$

At this point, WLOG, assume that $|B| \ge |A|$. Therefore,

$$0 \le y_2 - y_1 = |B|^k - |A|^k$$
$$= (|B| - |A|) \times (|B|^{k-1} + |B|^{k-2}|A| + \cdots + |A|^{k-1})$$
$$= (x_2 - x_1) \times (|B|^{k-1} + |B|^{k-2}|A| + \cdots + |A|^{k-1})$$
$$\ge |B|^{k-1}.$$

This will produce the same results as Case 6, where the lower and upper bounds are constrained by

$$y_2 - y_1 \ge |B|^{k-1},$$
$$y_2 - y_1 \ge |x_2 + a|^{k-1},$$
$$(y_2 - y_1)^{\frac{1}{k-1}} \ge |x_2 + a|,$$
$$-(y_2 - y_1)^{\frac{1}{k-1}} - x_2 \le a \le (y_2 - y_1)^{\frac{1}{k-1}} - x_2.$$
4.4.8 Summary of Inequality Analysis

The results obtained from the seven cases are summarized in Table 4.1.

Table 4.1: Summary of $a$ Boundaries

| Case | Polarity of $A, B$ | Parity of $k$ | Boundaries of $a$ |
| 1 | $A > B > 0$ | N.A. | $-\left(\frac{y_1 - y_2}{x_1 - x_2}\right)^{\frac{1}{k-1}} - x_1 \le a \le \left(\frac{y_1 - y_2}{x_1 - x_2}\right)^{\frac{1}{k-1}} - x_1$ |
| 2 | $A < 0,\ B > 0,\ B^k \ge \lvert A \rvert^k$ | Odd | $-(y_2 - y_1)^{\frac{1}{k}} - x_2 \le a \le (y_2 - y_1)^{\frac{1}{k}} - x_2$ |
| 3 | $A > 0,\ B < 0,\ A^k \ge \lvert B \rvert^k$ | Odd | $-(y_1 - y_2)^{\frac{1}{k}} - x_1 \le a \le (y_1 - y_2)^{\frac{1}{k}} - x_1$ |
| 4 | $A, B < 0,\ \lvert A \rvert \ge \lvert B \rvert$ | Odd | $-(y_2 - y_1)^{\frac{1}{k-1}} - x_1 \le a \le (y_2 - y_1)^{\frac{1}{k-1}} - x_1$ |
| 5 | $A < 0,\ B > 0,\ B \ge \lvert A \rvert$ | Even | $-(y_2 - y_1)^{\frac{1}{k-1}} - x_1 \le a \le (y_2 - y_1)^{\frac{1}{k-1}} - x_1$ |
| 6 | $A > 0,\ B < 0,\ \lvert B \rvert \ge A$ | Even | $-(y_2 - y_1)^{\frac{1}{k-1}} - x_2 \le a \le (y_2 - y_1)^{\frac{1}{k-1}} - x_2$ |
| 7 | $A, B < 0,\ \lvert B \rvert \ge \lvert A \rvert$ | Even | $-(y_2 - y_1)^{\frac{1}{k-1}} - x_2 \le a \le (y_2 - y_1)^{\frac{1}{k-1}} - x_2$ |
4.5 Analysis of Bounds

The starting point for forming the lower and upper bounds is to take the difference between the two y-values that were easily obtained publicly. For simpler calculations, a positive difference can be obtained by identifying the bigger component and then subtracting the smaller component from it.

It was found that both the lower and upper bounds of $a$ are constrained by the differences between the $k$-th or $(k-1)$-th root of the y-value differences and the x-variable, or vice versa, depending on the assumption of whether $A^k$ or $B^k$ is larger.

The initial assumption was that computation may be easier with even values of k, since even powers of positive or negative functions still produce positive results. However, it was found that the factor that limits computational efficiency is the presence of absolute values of either A or B. For absolute values, there is no easy way to determine whether the actual result would be positive or negative, and hence the inequalities identity needed to be applied in order to find the bounds of $a$.

The crux is that as long as two shares are gathered together, the value of $a$ can be derived easily through exhaustive means. The computation is simplified even further if the differences between the $y_i$ values found are small.

Once the value of $a$ is found, it then remains to substitute back into the general equation $y_i = (x_i + a)^k - b_0$ to determine $b_0$. When $b_0$ is found, it is trivial to find

$$f(x) = (x + a)^k - b_0,$$
$$f(0) = a^k - b_0 = \text{secret}.$$


4.6 Cases over the Finite Field $\mathbb{Z}_p$

Computing the above arithmetic over the infinite integer ring $\mathbb{Z}$ will result in large ranges of $a$ for which the initial polynomial can be expressed in the form $f(x) = (x + a)^k - b_0$. If the above arithmetic is computed over the prime field $\mathbb{Z}_p$ instead, then the polynomial form $f(x) = (x + a)^k - b_0$ could be achieved more easily, as many of the coefficients would be reduced to 0 after performing modular arithmetic over the prime field. Thus, there is justifiable motivation behind the modular prime arithmetic to reduce the ranges of $a$ to be finite and more manageable.

It was discussed earlier that the general equation $f(x) = a_0 + a_1 x + \cdots + a_k x^k$ can be expressed as

$$f(x) = (x + a)^k - b_0$$
$$= x^k + \binom{k}{1} a x^{k-1} + \binom{k}{2} a^2 x^{k-2} + \cdots + a^k - b_0$$
$$= x^k + \sum_{i=1}^{k-1} c_i x^{k-i} + a^k - b_0.$$

Computing arithmetic over $\mathbb{Z}_k$, where k is prime, gives the following result:

$$f(x) = x^k + a^k - b_0.$$

And the secret is recovered as $f(0) = a^k - b_0$.
4.7 Computational Example

A computational example is used to illustrate the effectiveness of the analysis.

4.7.1 Trivial Case

The following $\{3, n\}$ example has n shares and a threshold of 3, with n participants and 1 dealer. Consider the quadratic (degree $3 - 1 = 2$) polynomial generated by the dealer to be

$$f(x) = 7 + 4x + x^2.$$

The dealer then generates the following n shares to be released to the public, namely $(1, 12), (2, 19), (3, 28), (4, 39), (5, 52), (6, 67), \cdots, (x_n, y_n)$. It is only necessary to find any combination of two shares to determine the value of $a$.

For example, if two shares, Share#1 $(2, 19)$ and Share#2 $(4, 39)$, are found by any individual, the general equation $f(x) = (x + a)^k - b_0$ can be used as a base, and the public share values that were obtained can be substituted into the general equation:

General Eqn: $f(x) = (x + a)^k - b_0$,
Share#1: $19 = (2 + a)^k - b_0$,
Share#2: $39 = (4 + a)^k - b_0$,
Share#2 − Share#1: $20 = (4 + a)^k - (2 + a)^k$.

In this trivial example, if the dealer dictated that any two shares are enough to recover the secret ($k + 1 = 3$), then finding the value of $a$ is trivial, as one could use difference-of-squares factoring. In the case of $k = 2$, then

$$20 = (4 + a)^2 - (2 + a)^2$$
$$= (4 + a + 2 + a) \times (4 + a - 2 - a)$$
$$= (6 + 2a) \times 2.$$

Computing $b_0$,

$$b_0 = (2 + a)^2 - 19$$
$$= (2 + 2)^2 - 19,$$

which gives the secret as
4.7.2 General Cases of k

Consider another numerical example, a $\{4, n\}$ threshold scheme, where the dealer-generated polynomial is

$$f(x) = x^3 + 6x^2 + 12x + 5.$$

The secret is, of course, $S = a_0 = 5$. The public shares generated, of the form $(x_i, y_i)$, are $(1, 24), (2, 61), (3, 122), (4, 213), (5, 340), \cdots, (x_n, y_n)$. Assuming that two random shares, $(1, 24)$ and $(3, 122)$, are obtained by an eavesdropper, and the eavesdropper decomposes the public shares into the generalized formula $y_i = (x_i + a)^k - b_0$ for secret recovery, where $k = 3$,

$$24 = (1 + a)^3 - b_0,$$
$$122 = (3 + a)^3 - b_0,$$
$$\therefore (122 - 24) = (3 + a)^3 - (1 + a)^3. \quad (4.8)$$

This essentially gives a cubic polynomial to solve for the value of $a$.

Next, consider the general case for k values. For a $\{k + 1, n\}$ threshold scheme, the generalized form is

$$y_i - y_j = (x_i + a)^k - (x_j + a)^k. \quad (4.9)$$

The problem now reduces to finding the value of $a$, and it can be challenging depending on how large k is.


The analysis provided a convenient reference table in Table 4.1. In the numerical example in this section, the boundaries of $a$ would be one of Cases 2, 3, or 4 (with k odd). Hence, $a$ satisfies one of the following inequalities (Case 2 = Case 4):

or

Substituting all the known values from the public shares, and combining all the known information, the following is obtained:

$$-\sqrt[3]{98} - 3 \le a \le \sqrt[3]{98} - 3.$$

Since $a$ is an integer, the ceiling of the bounds is taken and the following is obtained:

$$-8 \le a \le 2.$$

With these values of $a$, the value of $b_0$ can be found easily. Table 4.2 shows the values found from the iteration.

Table 4.2: Possible Secret Values

| $a$ | $b_0$ | Secret $= f(0) = a^k - b_0$ |
| −8 | −367 | −145 |
| −7 | −240 | −103 |
| −6 | −149 | −67 |
| −5 | −88 | −37 |
| −4 | −51 | −13 |
| −3 | −32 | 5 |
| −2 | −25 | 17 |
| −1 | −24 | 23 |
| 0 | −23 | 23 |
| 1 | −16 | 17 |
| 2 | 3 | 5 |

It is easy to compute from Eqn. (4.8) that $a = 2$, and therein lies the secret value $S = a_0 = 5$. From Table 4.2, the eavesdropper knows that the secret is one of the 11 values of $f(0)$. Hence, from an infinite number of choices (or a large finite number of choices), with just two known shares, the eavesdropper has reduced the number of secret possibilities drastically.
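The bound and the iteration described above, carried out on this section's own shares $(1, 24)$ and $(3, 122)$ with $k = 3$, as an added example that is not code from the thesis: the Case 2 bound of Table 4.1 gives the integer interval for $a$, each candidate $a$ yields one $(a, b_0, f(0))$ row of Table 4.2, and a final filter keeps only the candidates that also satisfy Eqn. (4.8) against the second share. The function names are assumptions for this demonstration; the point for a dealer is that this is the whole computation the $(x + a)^k - b_0$ form leaves an outsider.

```python
import math

# Constructed from the Section 4.7.2 example: f(x) = x^3 + 6x^2 + 12x + 5 = (x + 2)^3 - 3,
# threshold k + 1 = 4, and the two public shares (1, 24) and (3, 122) known to an outsider.
SHARE_1 = (1, 24)
SHARE_2 = (3, 122)
K = 3


def case2_bounds(share1, share2, k):
    """Case 2 of Table 4.1 (A < 0, B > 0, k odd), as real numbers:
    -(y2 - y1)^(1/k) - x2 <= a <= (y2 - y1)^(1/k) - x2."""
    (_, y1), (x2, y2) = share1, share2
    if y2 <= y1:
        raise ValueError("Case 2 needs y2 > y1; swap the shares (Case 3 uses y1 - y2)")
    root = (y2 - y1) ** (1.0 / k)          # positive real k-th root of the y-difference
    return -root - x2, root - x2


def integer_interval(lower, upper):
    """Widen the real bounds to the enclosing integers (the thesis's -8 <= a <= 2)."""
    return range(math.floor(lower), math.ceil(upper) + 1)


def candidate_rows(share1, share2, k):
    """Table 4.2: for each integer a in the interval, b0 = (x1 + a)^k - y1 and f(0) = a^k - b0."""
    x1, y1 = share1
    lower, upper = case2_bounds(share1, share2, k)
    rows = []
    for a in integer_interval(lower, upper):
        b0 = (x1 + a) ** k - y1
        rows.append((a, b0, a ** k - b0))
    return rows


def consistent_rows(share1, share2, k):
    """Keep only the candidates that also reproduce the second share, i.e. the integer
    solutions of Eqn. (4.8): (x2 + a)^k - (x1 + a)^k = y2 - y1."""
    x2, y2 = share2
    return [(a, b0, s) for a, b0, s in candidate_rows(share1, share2, k)
            if (x2 + a) ** k - b0 == y2]


if __name__ == "__main__":
    for row in candidate_rows(SHARE_1, SHARE_2, K):
        print("a = %3d   b0 = %5d   f(0) = %5d" % row)
    print("consistent with both shares:", consistent_rows(SHARE_1, SHARE_2, K))
```

The consistency filter keeps every integer root of the cubic in Eqn. (4.8), so here two rows survive (a = 2 and a = −6); both already appear in Table 4.2.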







4.7.3 Common Factors in Polynomial Coefficients

The significance of $a$ can be related to the generalized form $f(x) = (x + a)^k - b_0$. If the dealer-generated polynomial contains coefficients that have a common factor (or factors), then it is clear that $a$ can take on the values of the common factor(s). This observation came from the fact that the generalized form of $f(x)$ is essentially a binomial expansion of the first term, and hence the dealer needs to be careful when randomly generating the coefficients to form the polynomial for secret sharing.

The above finding leads to another observation. If the dealer generates a polynomial containing prime coefficients, then the generalized system derived in this thesis would not be applicable, as there are no common factors in prime coefficients.

4.7.4 Outcome

In a bid to continue finding ways to simplify a given polynomial to linear or monic form, the Fundamental Theorem of Algebra [3, pp. 254, 288] is referenced. The theorem states that any polynomial $f(x)$ can be factorized over the complex number field $\mathbb{C}$ as $f(x) = a_n \prod_{i=1}^{n} (x - \alpha_i)$, where $n$ is the degree of the polynomial $f(x)$. For this analysis, by extension, this essentially means that any given dealer-generated polynomial (including non-monic polynomials) can be reduced to a monic polynomial such that the generalized form $f(x) = (x + a)^k - b_0$ can be applied to reconstruct the secret from just two public shares.

It was claimed, and found, that not all monic polynomials can be reduced to the general form proposed in this thesis. For non-monic polynomials, an eavesdropper or outsider can attempt to transform the polynomial to either a non-linear or a monic polynomial form.

Opportunities for future work of this nature are discussed in Chapter 6.

Therefore, it is important for the dealer to generate the secret polynomial with coefficients that do not contain a common factor. More often than not, the common factor could be the value of $a$ for an eavesdropper or outsider whose main purpose is to reconstruct the secret efficiently by using only two public shares that are obtained easily.
CHAPTER 5:
Side-Channel Effect on AES

In cryptography, instead of gaining access to a cryptosystem through its algorithm, side-channel attacks are any form of attack based on viable information from the physical implementation of such a cryptosystem. Common physical parameters, including power consumption, timing codes, and operating noise level, can be used to provide a means of breaking into and crippling the cryptosystem.

This section discusses how the algorithms derived in Chapter 4 can be utilised to guard against side-channel attacks.

5.1 Cryptographic Complexity

A variation of a secret sharing scheme without the use of a cryptographic key is elaborated here.

• Encode the desired secret $K_p$ to be an arbitrary binary string of length $l$.

• Generate $n - 1$ random binary numbers $A_1, A_2, \cdots, A_{n-1}$, whose bit lengths are equal to the size of the secret key $K_p$, that is, also of length $l$.

• Give to each participant one of $A_1, A_2, \cdots, A_{n-1}$, except for the last participant, who receives the result of the following XOR function: $(K_p \oplus A_1 \oplus A_2 \oplus \cdots \oplus A_{n-1})$.

• The secret can thus be recovered by gathering all of the participants' values and performing $\oplus$ operations on all of them.

This exclusive-or (XOR) variation, however, requires that all of the shares be pooled together in order to recover the secret key $K_p$. Compared to SSSS, this XOR method is relatively more straightforward, but offers a higher level of security since all of the participants' shares need to be present in order to recover the secret.

Blakley [2] made use of the properties of space dimensions to implement his idea of an ideal secret sharing scheme. In a three-dimensional space, three non-parallel planes will intersect at a specific point, and that point of intersection constitutes the desired secret. In a $\{3, n\}$ threshold scheme, where three shares are required to recover the secret, one can still obtain some information about the secret. Graphically, this can be viewed as having information about the intersection of two non-parallel planes, which produces a line. The secret is thus narrowed down to an arbitrary point along the line, which can be easily recovered by substituting all the known axis values into the equation of the intersected line.

The algorithm and reasoning described in Chapter 4 made use of the fact that the secret can eventually be recovered when partial information regarding the shares is known. The principle behind forming the inequalities is to apply viable heuristics to narrow down the possibilities of unknown factors to a manageable size and then to recover the secret using exhaustive search methodologies.

5.2 Cryptographic Attacks

Chapter 2 described the importance of the dealer. Here, the importance of the dealer is amplified again during cryptographic attacks, where cyber attackers could hack into unsecured systems through side-channel attacks and steal the shares that should remain privy to only the participants. Since it would be impractical to regenerate the secret, uncompromised shares could still be updated and renewed to generate new shares for the participants. The non-updated shares that the attackers possess would become useless unless the attackers continue to obtain enough non-updated shares to reach the original threshold. The attackers would not be able to gain much information if they were to steal the updated shares, since these updated shares provide only random information to the attackers. The dealer, in this scenario, possesses the ability to renew the shares and, in the process, render the non-updated shares irrelevant.

5.3 AES

In 2001, the Secretary of Commerce approved and issued the Federal Information Processing Standards Publications (FIPS PUBS) detailing the AES that can be used to protect electronic data. Essentially, AES refers to a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information. Importantly, current AES algorithms are capable of using cryptographic keys of 128, 192, and 256 bits to encrypt and decrypt data in 128-bit blocks. The current AES became effective from 2001 onwards [12]. In particular, the current AES is a block cipher that iterates ten cycles of repetitions of transformation rounds, with each of these transformation rounds involving the four stages of AddRoundKey, ShiftRows, MixColumn, and SubByte, thus ensuring and enhancing the security.


5.4 Implementing AES with SSSS

Goubin and Martinelli [13], in 2011, proposed an original masking scheme that is based on SSSS and served as an alternative to Boolean masking. Goubin's scheme built upon a credible complexity-security trade-off compared to Boolean masking. Typically, the proposed SSSS masking is centered around the signal-to-noise ratio (SNR) generated by the crypto application. For example, applications involving smart card implementation tend to have a higher SNR, and it was found that first-order SSSS masking provided better security and less complexity than third-order Boolean masking. For hardware implementations where the noise can be reduced drastically, the same first-order SSSS masking can produce results that are comparable to fourth-order Boolean masking, thereby amplifying the advantages of SSSS masking for applications of low SNR.

Following Goubin and Martinelli's [13] claim of better efficiency in their proposed scheme of SSSS masking versus Boolean masking, Coron et al. [14], in 2013, exhibited a flaw in this scheme by proving that the scheme can always be broken by a first-order side-channel analysis (SCA). In addition, Coron et al. proposed an improvement to the evaluation of the k-degree polynomial using the Discrete Fourier Transformation (DFT) that reduces the evaluation time taken from $O(n^3)$ to $O(n^2)$, thereby effectively reducing the complexity from third order to second order.

Consider the success of reducing the computational complexity of manipulating a $k$-th degree polynomial into a manageable polynomial of the form $f(x) = (x + a)^k - b_0$, with smaller cardinality. The masking field operations in [13] similarly introduced two sensitive variables $b$ and $u$ following SSSS. The XOR operation with the second variable $u$ was used to mask the sensitive variable $b$, where $b = (x_i, y_i)$, $0 \le i \le k$ (degree), in the following manner:

$$(x_i, y_i) \mapsto (x_i, y_i \oplus u).$$

Multiplication by any scalar $c$ will yield the following:

$$(x_i, y_i) \mapsto (x_i, y_i \cdot c).$$

Working in a field of characteristic 2, squaring is $GF(256)$-linear:

$$(x_i, y_i) \mapsto (x_i^2, y_i^2).$$

Here, it is noted that the product of two newly introduced variables that are protected by any secret sharing scheme cannot be solved using any algebraic transformation that is linear in nature, since taking the product of two $k$-th degree polynomials will yield a polynomial of degree at most $2k$ in this finite field. In such cases, linear approximation will not be possible.

In the same research paper, Goubin and Martinelli [13] also stated that the security of SSSS against any form of SCA is based on the following selected points:

• For polynomial interpolation, at least $(k + 1)$ shares are required to define a polynomial of degree $k$.

• The computation of $\ell_i(x)$ is independent of any secret share that can be found.

Through these findings by Goubin and Martinelli, the analysis in the earlier chapters can be similarly extended to the following:

• The computation of $\ell_i(x)$, and subsequently the secret, is independent of any public shares that can be obtained.

5.5 Monic Generator Polynomial for Secret Sharing

The analysis in Chapter 4 provides an alternate methodology to recover the secret with less-than-expected available information. It effectively reduces the evaluation of the monic polynomial to $O(n)$, since only linear algebra is involved. The objective of reducing the linearity is due to the fact that linear equations are easier to solve, which is the main motivation behind cryptanalysts' desire to approximate non-linear components with linear ones.

Although the coefficients could be generated randomly, from a security perspective, the level of security can be elevated by carefully choosing the coefficients of the generated polynomial. For improved security, the dealer should avoid generating the polynomial using successive binomial integers as its polynomial coefficients. This further amplifies the importance of the dealer when generating the polynomial for secret sharing.
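Sections 4.7.3 and 5.5 both advise the dealer to avoid coefficients that follow a binomial expansion. As an added example, not code from the thesis, here is a dealer-side check that decides whether a monic polynomial equals $(x + a)^k - b_0$ for some $a$, over the integers or, following Section 4.6, modulo a prime $p$, together with a Shamir dealer over $\mathbb{Z}_p$ that redraws its random coefficients whenever the check fires. The function names, the prime 7919 and the k < p requirement are assumptions made for this demonstration.

```python
import random
from math import comb


def binomial_shift_form(coeffs, p=None):
    """Return (a, b0) if f(x) = sum(coeffs[i] * x^i) equals (x + a)^k - b0 for some a,
    the form Chapter 4 shows to be recoverable from just two shares; otherwise None.
    p=None tests over the integers; a prime p tests over Z_p (assumes k < p)."""
    k = len(coeffs) - 1
    if k < 2:
        return None      # a degree-1 polynomial is (x + a) - b0 for every a; Chapter 4 needs k >= 2

    def norm(v):         # identity over Z, reduction modulo p over Z_p
        return v if p is None else v % p

    if p is None:
        # Over Z: f must be monic and the x^(k-1) coefficient, k*a, must be a multiple of k.
        if coeffs[k] != 1 or coeffs[k - 1] % k:
            return None
        a = coeffs[k - 1] // k
    else:
        if k >= p:
            raise ValueError("this check assumes k < p so that k is invertible mod p")
        if coeffs[k] % p != 1:
            return None  # not monic mod p
        a = coeffs[k - 1] * pow(k, -1, p) % p
    # Every non-constant coefficient must be the binomial term C(k, i) * a^(k - i).
    for i in range(1, k):
        if norm(coeffs[i]) != norm(comb(k, i) * a ** (k - i)):
            return None
    return a, norm(a ** k - coeffs[0])      # the constant term is a^k - b0


def dealer_polynomial(secret, k, p, rng=random):
    """Shamir dealer over Z_p: constant term is the secret, the k other coefficients are
    uniformly random with a non-zero leading coefficient, and any draw that happens to
    collapse to the (x + a)^k - b0 form is rejected and redrawn."""
    while True:
        coeffs = [secret % p] + [rng.randrange(p) for _ in range(k - 1)] + [rng.randrange(1, p)]
        if binomial_shift_form(coeffs, p) is None:
            return coeffs


def share(coeffs, x, p):
    """Public share (x, f(x) mod p), evaluated by Horner's rule."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % p
    return x, y


if __name__ == "__main__":
    # The thesis's two example polynomials (coefficients listed from x^0 upwards).
    print(binomial_shift_form([7, 4, 1]))        # 7 + 4x + x^2 = (x + 2)^2 + 3  -> (2, -3)
    print(binomial_shift_form([5, 12, 6, 1]))    # x^3 + 6x^2 + 12x + 5 = (x + 2)^3 - 3 -> (2, 3)
    # The same cubic reduced mod 7 hides its shape from the integer test but not the Z_7 test.
    print(binomial_shift_form([5, 5, 6, 1]), binomial_shift_form([5, 5, 6, 1], 7))
    poly = dealer_polynomial(5, 3, 7919, random.Random(2024))   # constructed demo parameters
    print(poly, [share(poly, x, 7919) for x in (1, 2, 3, 4)])
```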
CHAPTER 6:
Conclusion

6.1 The Perfect Secret Sharing Scheme

A lot of research has focused on the creation of a perfect secret sharing scheme. There are no known weaknesses of Shamir's Secret Sharing Scheme, other than the computational inefficiency if the generated polynomial comprises large degrees. While many improvised secret sharing schemes have proven more effective than SSSS, they have only been better under certain parameters; there is always a trade-off with some parameter of the scheme.

6.2 Future Work

Further research can be done in the following fields to enhance the efficiency of the current SSSS.

6.2.1 Ramp Secret Sharing

Ramp secret sharing involves the gradual leakage of information, subject to a dealer-generated polynomial of degree $(t + l - 1)$, where $t$ participants have no information at the beginning. As each additional share is leaked subsequently, the bits of information that can be deciphered per share is calculated to be equal to $\log q$ bits. This means that only $(t + l)$ participants can recover all secrets. This is also known as a $(t, t + l, n)$ ramp scheme, where $n \le q - 1$.

If the dealer-generated polynomial in ramp secret sharing schemes can also be reduced to the generalized form $f(x) = (x + a)^k - b_0$ or the equivalent, then it may prove to be sufficient to obtain just two shares, and the secret can be recovered easily through exhaustive means of substituting the value of $a$.

6.2.2 Prime Numbers as Polynomial Coefficients

The dealer-generated polynomial comprises random integer coefficients. In-depth research into prime coefficients may yield different approaches to recovering the secret, because the monic polynomial now cannot be easily reduced to the generalized form $f(x) = (x + a)^k - b_0$ or the equivalent, since each of the prime coefficients $(p_1, p_2, \cdots, p_n)$ can only yield 0 when performing $\bmod (p_1, p_2, \cdots, p_n)$, respectively.

6.2.3 Composite Functions of Polynomials and the Fundamental Theorem of Algebra

In Section 2.3, the composite function $f(x) = h(x) \circ g(x)$ was mooted as an alternate form to simplify the mechanics of SSSS. The function $g(x)$ was assumed to be linear, and hence allowed the generalised form upon which this thesis analysis is based. Consider the alternate form where the dealer-generated polynomial $h(x)$ can be expressed in the form $f(x) = a_n \times (x - \alpha) \times (x - \beta)^k$, by applying another linear function $g(x)$. This is also known as the Fundamental Theorem of Algebra.
APPENDIX: Diffie-Hellman Key Exchange

A.1 What Is Diffie-Hellman (D-H) Key Exchange?

In cryptography, Diffie-Hellman (D-H) key exchange is an encryption algorithm that is implemented to establish a secret between two parties. This form of key exchange is very prevalent in real-world symmetric encryption algorithms such as the Rivest-Shamir-Adleman (RSA) algorithm. It is a specific method of exchanging cryptographic keys over a public channel, but is only decipherable by the relevant parties.

The mechanics of the D-H key exchange are illustrated as follows:

• Say Albert and Bernard wanted to establish a secret $s$ among themselves, but do not want anyone else to know about the secret.

• First, both parties have to agree on a prime number $p$ and a base $g$. Note that $g$ is a primitive root modulo $p$.

• Albert then chooses a secret integer $a$, which only he himself knows, and computes $A = g^a \pmod p$.

• Bernard, like Albert, also chooses a secret integer $b$, which only he himself knows, and computes $B = g^b \pmod p$.

• Albert then sends the value of $A$ to Bernard, and likewise, Bernard sends the value of $B$ to Albert.

• To recompute the shared secret $s$, Albert computes $s = B^a \pmod p$, and likewise, Bernard computes $s = A^b \pmod p$ to obtain the secret $s$.

This algorithm is secure because the values of $a$ and $b$ are secure and known only to the relevant parties. All other values can be sent in the clear, and potentially be intercepted by other eavesdropping parties, but the eavesdropping parties will not be able to decrypt the code due to the lack of knowledge of $a$ and $b$.

A.1.1 Example

• Albert and Bernard agree on $p = 23$ and $g = 5$, where 5 is a primitive root modulo 23.

• Albert chooses secret integer $a = 9$, and computes $A = g^a \pmod p = 5^9 \pmod{23} = 12$.

• Bernard chooses secret integer $b = 13$, and computes $B = g^b \pmod p = 5^{13} \pmod{23} = 2$.

• Albert sends $A = 12$ to Bernard, and receives $B = 2$ from Bernard.

• Albert then recomputes the secret $s = B^a \pmod p = 2^9 \pmod{23} = 6$, and Bernard computes the secret $s = A^b \pmod p = 12^{13} \pmod{23} = 6$.

The secret $s = 6$ can then be used as an encryption key (which is only known to the two of them) to send messages across open communication channels.

The D-H key exchange algorithm works because of the properties of modular exponentiation:

$$A^b \pmod p = (g^a \pmod p)^b \bmod p = g^{ab} \pmod p,$$
$$B^a \pmod p = (g^b \pmod p)^a \bmod p = g^{ba} \pmod p,$$
$$g^{ab} \pmod p = g^{ba} \pmod p.$$

Note that for this key-exchange algorithm to work, the base $g$ must be chosen to be a primitive root, or a generator, of the prime $p$.